Beware, Samsung customers! If you have a Samsung Android-based phone running their TouchWiz user interface, your telephone can be wiped out by going to any web page that contains the code "tel:*2767*3855%23" in an HTML frame.

Important update: It's not only Samsung with TouchWiz. Apparently it's happening with other Android phones too.

The vulnerability has been confirmed on the Samsung Galaxy II and AT&T's Samsung Galaxy S III, but it's probably common to any Samsung Android phone running the TouchWiz UI.


Here's how it works: the HTML frame loads a tel: URL. This URL tells the phone that its content is a clickable telephone number. However, instead of a phone number, the URL contains a special USSD code that tells the phone to wipe itself, and the affected dialer executes it as soon as the frame loads, without waiting for the user to press "call". USSD means Unstructured Supplementary Service Data: special number sequences, typed into the dialer, that phone carriers and handset makers use to execute instructions on your phone.
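The distinguishing feature of the trigger described above is that the tel: target is not a dialable number at all: it carries MMI/USSD syntax (`*` and `#`, the latter often percent-encoded as `%23`). The following is an added example, not code from the article or from any vendor, showing how a WebView, proxy or page scanner can tell the two apart and flag frames that auto-load USSD codes. The sample HTML is constructed for the example; the only USSD string in it is the one quoted in the article.

```python
"""Classify tel: URIs as plain phone numbers or USSD/MMI codes.

Added example (not from the original article). A dialer reached through
a tel: link should only prefill the number and wait for the user to
press call; a WebView or content filter can use the check below to flag
tel: links whose target is an MMI/USSD sequence rather than a number.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A dialable number is digits with an optional leading '+' and common
# separators. '*' and '#' mark MMI/USSD sequences that the dialer or the
# carrier interprets as commands, not as a call.
_DIALABLE = re.compile(r"^\+?[0-9\s().-]+$")


def classify_tel(uri: str) -> str:
    """Return 'number', 'ussd' or 'invalid' for a tel: URI."""
    if not uri.lower().startswith("tel:"):
        return "invalid"
    target = unquote(uri[4:]).strip()  # decode %23 -> '#', %2A -> '*'
    if not target:
        return "invalid"
    if "*" in target or "#" in target:
        return "ussd"
    return "number" if _DIALABLE.match(target) else "invalid"


class _TelCollector(HTMLParser):
    """Collect tel: URIs from src/href attributes of any tag (iframes included)."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and value.lower().startswith("tel:"):
                self.found.append((tag, value))


def find_ussd_frames(html: str) -> list:
    """Return (tag, uri) pairs whose tel: target is a USSD/MMI code."""
    parser = _TelCollector()
    parser.feed(html)
    return [(tag, uri) for tag, uri in parser.found if classify_tel(uri) == "ussd"]


# Constructed sample page: one ordinary click-to-call link (harmless)
# and one frame that auto-loads the wipe code quoted in the article.
SAMPLE_HTML = """
<html><body>
<a href="tel:+1-555-0100">Call support</a>
<iframe src="tel:*2767*3855%23"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, uri in find_ussd_frames(SAMPLE_HTML):
        print(f"USSD code auto-loaded by <{tag}>: {uri} (decoded: {unquote(uri)})")
```

Note that the check decodes percent-encoding before looking for `*` and `#`; a filter that matched the raw URL would miss the `%23` form used in the article's trigger string.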

Warning, don't open this from an Android phone: this page contains the code.

It's still not clear whether the bug affects only certain versions of TouchWiz or all of them.

We will keep updating this with new developments. If you have a Samsung phone and a backup and want to test it, please post the results in the comments or write to jesus@gizmodo.com. [Pau Oliva and Ekoparty via Twitter via The Verge]

Update: According to Dylan Reeve, "Samsung have been aware of this issue for a few months and the latest firmware for Galaxy S3 (4.0.4) appears to resolve the issue."

Update 2: Dylan also points out that you can avoid the problem if you install an alternative dialer application through Google Play. He says he used Dialer One.

Update 3: Dylan reports that the security bug is not limited to Samsung phones:

The remote USSD vulnerability I detailed in my last post (and now covered widely in the tech media) is not just a Samsung problem. The same general vulnerability (executing a USSD code without user intervention from a website, or other delivery vector) affects many phones. I've personally verified it on an HTC One X (running HTC Sense 4.0 on Android 4.0.3) and a Motorola Defy (running Cyanogen Mod 7 on Android 2.3.5).